From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 8 Aug 2016 18:01:08 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.14.75~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=87a5344c03526a7cca03b733fd62f3463bb9183d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
---

diff --git a/queue-4.4/series b/queue-4.4/series
index 5c56c1fb2a4..37f2c9f2c39 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -65,3 +65,4 @@ libceph-apply-new_state-before-new_up_client-on-incrementals.patch
 net-mvneta-set-real-interrupt-per-packet-for-tx_done.patch
 intel_th-pci-add-kaby-lake-pch-h-support.patch
 intel_th-fix-a-deadlock-in-modprobing.patch
+vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
diff --git a/queue-4.4/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch b/queue-4.4/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
new file mode 100644
index 00000000000..3db8c77c647
--- /dev/null
+++ b/queue-4.4/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
@@ -0,0 +1,47 @@
+From c1892c37769cf89c7e7ba57528ae2ccb5d153c9b Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 3 Aug 2016 13:44:27 +0200
+Subject: vfs: fix deadlock in file_remove_privs() on overlayfs
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit c1892c37769cf89c7e7ba57528ae2ccb5d153c9b upstream.
+
+file_remove_privs() is called with inode lock on file_inode(), which
+proceeds to calling notify_change() on file->f_path.dentry.  Which triggers
+the WARN_ON_ONCE(!inode_is_locked(inode)) in addition to deadlocking later
+when ovl_setattr tries to lock the underlying inode again.
+
+Fix this mess by not mixing the layers, but doing everything on underlying
+dentry/inode.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 07a2daab49c5 ("ovl: Copy up underlying inode's ->i_mode to overlay inode")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/inode.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1733,8 +1733,8 @@ static int __remove_privs(struct dentry
+  */
+ int file_remove_privs(struct file *file)
+ {
+-	struct dentry *dentry = file->f_path.dentry;
+-	struct inode *inode = d_inode(dentry);
++	struct dentry *dentry = file_dentry(file);
++	struct inode *inode = file_inode(file);
+ 	int kill;
+ 	int error = 0;
+ 
+@@ -1742,7 +1742,7 @@ int file_remove_privs(struct file *file)
+ 	if (IS_NOSEC(inode))
+ 		return 0;
+ 
+-	kill = file_needs_remove_privs(file);
++	kill = dentry_needs_remove_privs(dentry);
+ 	if (kill < 0)
+ 		return kill;
+ 	if (kill)